PHP :: Bug #22890 :: CLI setuid scripts don't run setuid

Bug #22890	CLI setuid scripts don't run setuid
Submitted:	2003-03-26 03:27 UTC	Modified:	2003-03-26 09:38 UTC
From:	gavin at itmerge dot com	Assigned:
Status:	Not a bug	Package:	CGI/CLI related
PHP Version:	4.3.1	OS:	Linux 2.4.18
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-03-26 03:27 UTC] gavin at itmerge dot com

/* my sample script is */
 
#!/usr/local/bin/php
<?php
echo posix_getmyeuid()."\n";
?>

/*
root#chown root.vhost /scripts/myscript
root#chmod 4710 /scripts/myscript
root#useradd -u 1001 gavin
root#usermod gavin -G vhost
root#logout
gavin$/scripts/myscript
1001
gavin$

i had to create /usr/local/bin/setuid_php
and chmod 4710 it to be able to make my php scripts run setuid root (i'm not a perl person i don't know if perl supports setuid but I know scripts that i pass thru 
/bin/zsh support setuid)

I don't really like having that script there :0 
because A, I'm learning but i'm learing quickly
that the more "permissions" you have the 
more you're likely to get a stuck up the rear end
and essentially that lets anyone become god on my system who might find it, I think i'm going to go move it outside of /usr/local/bin right now


*/

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-26 04:05 UTC] gavin at itmerge dot com

whoops spelt posix_geteuid(); wrong :P

[2003-03-26 09:36 UTC] edink@php.net

Modern kernels on Unix and Unix-like operating systems simply ignore set uid bit on shebang scripts (those that begin with #!).

Some interpreters (like perl) choose to implement workaraounds, but if you really need to make a script suid, it is very easy to achieve so with a simple C wrapper program.

There are no plans to implement any perl-like workaround in PHP at the present time.

[2003-03-26 09:38 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Uid of the binary, which is PHP is what matters, the script's uid does not matter since it is a parameter.

[2010-06-13 03:21 UTC] php at richardneill dot org

In 2003, the response was:
  "There are no plans to implement any perl-like workaround in PHP at the
  present time."

Might I request that, 7 years later, and with much increased use of php as a general-purpose scripting language, it might be worth re-visiting this?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 14:01:27 2025 UTC